OPM Breach Notification Frustrates Hacked Feds

Some victims of the massive hack expressed fear their privacy might be violated by fraud-protection services the government has outsourced to private companies.

National Journal
Aliya Sternstein, Nextgov
June 22, 2015, 6:31 a.m.

Some victims of the massive hack of federal personnel records expressed fear their privacy might be violated by fraud-protection services the government has outsourced to private companies.

As a result, some say they are not enrolling for the free program, and at least one Washington-area senator, citing poor performance, said it may be time to terminate one company’s contract.

The Office of Personnel Management is paying prime vendor Winvale $21 million to offer credit monitoring and other safeguards to 4.2 million former and current employees whose personal information was potentially extracted by suspected Chinese hackers.

But to obtain the services, federal workers — some of whose innermost personal secrets were taken in a second, related breach — must hand over additional confidential information to another company, CSID, which has partnered with Winvale. Data on people who have undergone background-check investigations for sensitive government positions was ensnared in a separate hack of an OPM system.

Privacy Policy?

One former secret-clearance holder, who asked to remain anonymous because she still does business with the government and because of privacy concerns, opted to register for the services. Now, she has misgivings.

On CSID’s website, she was asked a series of security questions to prove she was who she claimed to be, one of which questioned whether she had any student loans, the woman said. She says she answered no. The next day, her cell phone — which she says has never received telemarketing calls — received three robocalls advising her she qualifies for government assistance on a student loan, said the former employee, who retired 18 months ago after 20 years of service.

“I just thought that is such a strange coincidence that I get this call after I have had a security question involving whether or not I’ve had a student loan,” she said. “And I’m not a conspiracy theorist.”

The employee sent a message to OPM through the official CSID email address sharing details of her experiences authenticating her identity and then receiving solicitations reflecting knowledge of her student-loan eligibility. The employee shared the email with Nextgov. In response, she received an off-topic form letter instructing her how to sign up for credit monitoring, also shared with Nextgov.

OPM officials say they have been in contact with CSID about a vague complaint along these lines and told the company that victims’ data must not be used for other offerings.

“The issue was immediately addressed with the company to ensure a common understanding of the government’s position that OPM customers would not be solicited to buy other services as part of the enrollment process,” OPM spokesman Sam Schumach said.

However, after the free-subscription period is over, CSID is allowed to “approach individuals regarding their desire to extend services,” he said.

CSID officials said the company’s services would not have triggered any telemarketing.

“Any calls from solicitors enrollees received was simply a coincidence,” CSID spokesman Patrick Hillmann said. “CSID has never, nor ever will, sell or share any of our subscribers information. That is explicitly stated in our terms and conditions as well as in our privacy policies.”

OPM’s deal with Winvale states any data the government provides the contractor and subcontractors like CSID must only be used for the agreed-to ID-theft protection services.

Straight to the Junk Folder?

Some of the employees receiving notifications say they are not even thoroughly convinced the notification letters are legitimate government communications.

The notifications carry the letterhead of CSID, accompanied by a small OPM insignia, and direct employees to a dot-com commercial website for enrollment. A majority of the alerts are being sent by email from a csid.com address.

The former clearance-holder, who received an emailed notice last week, said her reaction was: “Is this a legitimate email I received from OPM? Or was this part of the hack? So now I’ve gone out and answered security questions to who?”

OPM officials declined to comment on whether they could supply CSID with a valid dot-gov email address and a valid dot-gov website to assist with notification.

“Frankly, it went into my junk mail,” the former employee said. “It just so happened I was cleaning my junk mail and went, ‘Wait a minute, this is from OPM — or it says so.’”

‘Waiting for Others to be the Guinea Pigs’

Some current federal personnel say they will pass on the free opportunity or wait until they hear positive feedback from colleagues before registering.

By press time, OPM and CSID officials were not able to provide estimates of the number of people notified who have enrolled in the ID-theft protection program.

An Internal Revenue Service staffer, who said she holds a clearance and was not authorized to identify herself publicly, said she was wary of the CSID letter, which was purportedly sent by OPM Chief Information Officer Donna Seymour. Nextgov has reviewed similar notifications.

“Perhaps my federal service has made me cynical, but even in receipt of a letter signed by the Donna K. Seymour, CIO of OPM, I wasn’t willing to take it at face value, principally because it wasn’t on OPM letterhead,” the IRS employee said. She said she is “waiting for others to be the guinea pigs” before signing up for the CSID program.

Yet another government employee, who did not want her name or agency published for privacy reasons, said she will seek fraud-control help from companies she already has relationships with.

“I choose not to use the ID-protection service because I do not trust yet another contracted service provider,” she said. “I am willing to pay for protection service through a reputable company at this point.”

The 30-year federal employee said she has “never felt this insecure about my personal information,” especially after learning about the hack of systems holding data on personnel who over the years have filed 127-page forms spelling out deeply personal background histories on themselves and their associates.

“That means not only my information, but that of my family is at risk,” she said. “This is inexcusable.”

Senator Demands Answers

Lawmakers say they are hearing similar criticisms from citizens about CSID’s performance.

On Friday, Sen. Mark Warner, a Democrat from Virginia, home to a high concentration of current and former federal workers, raised concerns about CSID with OPM Director Katherine Archuleta.

“My constituents have reported that the website crashes frequently,” among other technical difficulties contacting CSID, he said in a letter to Archuleta. “Many have reported receiving inaccurate or out-of-date information regarding their credit history, which calls into question CSID’s ability to appropriately protect them from fraud and ID theft.”

He called for the company’s contract to be terminated if it is unable to deal with customers’ needs. The award OPM issued suggests “that protecting employees exposed by the breach is not the top priority for OPM that it should be,” he added. “We expect that OPM will act quickly to correct any such impressions.”

Responding to Warner’s assertions, CSID’s Hillmann said providing ID-monitoring and restoration services to those affected “is what we have been focusing on throughout this process and what we must continue to focus on in the coming days and weeks. It would be inappropriate to allow ourselves to be distracted by nor comment on political matters.”

Nextgov has asked OPM officials for comment on Warner’s letter.
